This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
Advisor
‎2022-03-04 12:18 AM

Is there a way to create a byass/exception for DNS Sinkhole?

Hello Check Mates

Is there a way to create a byass/exception for DNS Sinkhole?

Sometimes we run into some special scenarios when running DNS Sinkhole.
The good thing, this feaure works great, but sometimes too great.

 

For example:
Some customers are conductiong Phishing Awareness trainings, they send out special crafted training emails and teach their personal not to click on any of those funny links.
With DNS Sinkhole in place this never works, it always kills the DNS request.
For some special DNS resources we will need exclusions to allow them, even when Check Point is convinced this resources are highly infected and super evil ...

Has somone ever ran into these? 

best regards

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-03-04 07:17 AM

Normal exceptions for the site/domain on your TP rule should do the trick?

Refer: https://community.checkpoint.com/t5/Threat-Prevention/DNS-Reputation-Exception/m-p/55745

CCSM R77/R80/ELITE
Timothy_Hall
Legend Legend
Legend
‎2022-03-04 10:04 AM

Probably the best way to do this is to first define a Custom Application/Site site object that has the site name/URL of the legit phishing server in it.  Then create a global TP exception and in the Protection/Site/File/Blade column select "User Applications", and then select the custom site name you made.   Next set the Action of the new exception to Detect or Inactive.  This should exclude any enforcement against that site name and would definitely work for the five TP blades, but the Malware DNS trap is kind of in its own little world to some degree and this exception may not work properly.  You'll have to try it and see what happens.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events